Patents Examined by Dao Q Ho
  • Patent number: 11063920
    Abstract: Dynamic key cryptography validates mobile device users to cloud services by uniquely identifying the user's electronic device using a very wide range of hardware, firmware, and software minutiae, user secrets, and user biometric values found in or collected by the device. Processes for uniquely identifying and validating the device include: selecting a subset of minutia from a plurality of minutia types; computing a challenge from which the user device can form a response based on the selected combination of minutia; computing a set of pre-processed responses that covers a range of all actual responses possible to be received from the device if the combination of the particular device with the device's collected actual values of minutia is valid; receiving an actual response to the challenge from the device; determining whether the actual response matches any of the pre-processed responses; and providing validation, enabling authentication, data protection, and digital signatures.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: July 13, 2021
    Assignee: mSignia, Inc.
    Inventors: Paul Timothy Miller, George Allen Tuvell
  • Patent number: 11062055
    Abstract: A computer device and method for managing privilege delegation to control execution of commands on files on the computer device is described. An agent plugin intercepts a request in a user account of a logged-in user to execute a command therein on a file having first privileges assigned thereto, wherein the agent plugin is provided for the file. The agent plugin obtains information related to the request and forwards the information to an agent service cooperating with an operating system of the computer device. The agent service determines whether to execute the command on the file in the user account according to second privileges different from the first privileges. The agent service launches an agent proxy process having the second privileges assigned thereto by the agent service if it is determined to execute the command on the file in the user account according to the second privileges.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: July 13, 2021
    Assignee: AVECTO LIMITED
    Inventor: John Goodridge
  • Patent number: 11050731
    Abstract: Techniques described herein may be used to centralize authentication and authorization for accessing cloud services provided by different cloud platform deployments. A user equipment (UE) may provide user information to a cloud admin device. The cloud admin device may authenticate and authorize the UE locally and then initiate a sign on procedure with each cloud platform deployment. The sign on procedure may include obtaining user group information for the user and providing the user group information to the cloud platform deployments so that the cloud platform deployments may return permission information without having to each perform an authentication and authorization procedure. The cloud admin device may relay the permission information to the UE, and the UE may use the permission information to access any/all of the cloud services.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: June 29, 2021
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Minbao Li
  • Patent number: 11044606
    Abstract: Embodiments are directed to a method of providing access verification for a system that includes activating a security control device, which is in communications with a host device. The method also includes having the security control device receive a verification signal coming from outside the system while being locally-based, and comparing the verification signal to a table of stored criteria values. The device then chooses a response based on that comparison and sends an access determination signal based on the response.
    Type: Grant
    Filed: January 23, 2018
    Date of Patent: June 22, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kangguo Cheng, Shawn P. Fetterolf
  • Patent number: 11044083
    Abstract: A first server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different, second, server. The first server transmits messages between the client device and the second server where the second server has access to a private key that is not available on the first server. The first server receives from the second server a set of session key(s) used in the secure session for encrypting/decrypting communication between the client device and the first server. The session key(s) are generated using a master secret that is generated using a premaster secret generated using Diffie-Hellman public values selected by the client device and the second server. The first server uses the session key(s) to encrypt/decrypt communication with the client device.
    Type: Grant
    Filed: July 24, 2018
    Date of Patent: June 22, 2021
    Assignee: CLOUDFLARE, INC.
    Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
  • Patent number: 11036835
    Abstract: Systems and methods for detecting and mitigating attacks that exploit vulnerabilities of a website are provided, according to various embodiments described below and herein. A computing device issues a request for a web page that is stored on a server. The server receives a request and issues a response that includes the requested web page and interceptor code injected into the response. The computing device receives the response, renders the web content and generates an interceptor from the interceptor code. The interceptor intercepts requests, responses to dynamically update the webpage and responses containing a challenge. When a computing device issues a request to the server to dynamically update the webpage, the server issues a response to the computing device that includes a challenge. Once the computing device issues a request that includes an answer to the challenge, the server validates the answer and issues a response that dynamically updates the webpage.
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: June 15, 2021
    Assignee: PayPal, Inc.
    Inventors: Srinivasan Raman, Venkateswara Rao Karri, Sanjeev Koranga
  • Patent number: 11038847
    Abstract: This disclosure is directed to one or more computing services that provide users with secure access to a computing instance, which is auditable and accessible via a cross-platform browser-based shell or command-line interface (CLI). The computing service(s) forego any need to open up inbound ports, thereby improving security. The computing service(s) employ centralized authentication and auditing to ensure compliance with policies and to log activities for auditing, forensics, or other purposes. A message gateway service creates secure channels with a client device and the computing instance to establish a secure communication tunnel between the client device and computing instance. Once the tunnel is established, a user can send a command via the client device to the computing instance, via the message gateway service. The command output is uploaded to this tunnel and is sent back to the client device, via the message gateway service.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: June 15, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Munindra N. Das, Amjad Hussain, Sivaprasad Venkata Padisetty, Anantharam Vaidyanathan
  • Patent number: 11012422
    Abstract: A telecommunications assembly and a method for traversing an application layer gateway firewall during the establishment of an RTC communication connection between an RTC client and an RTC server using a proprietary RTC signalling protocol, wherein the firewall has no specific knowledge of the proprietary RTC signalling protocol. The RTC client and the RTC server can negotiate during the establishment of the RTC communication connection which of the ports of the firewall are required for the data packets to be exchanged via the RTC communication connection, wherein they use at least one standardised message element as a component of the proprietary RTC signalling protocol, with which information relating to the ports to be used can be found by the firewall.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: May 18, 2021
    Assignee: RINGCENTRAL, INC.
    Inventors: Karl Klaghofer, Thomas Stach, Jurgen Totzke
  • Patent number: 11003801
    Abstract: A functional device which surely prevents tampering performed through an external interface in the functional device comprising an external interface which is accessible to an internal functional component is provided. In the functional device, a coupling controller is provided between an external Flash terminal which is an external interface and an internal Flash memory. The coupling controller physically blocks between the external Flash terminal and the internal Flash memory after a Fuse is disconnected except for a case where a certification result in a REG maintains validity. The certification result is validated only while current is carried.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: May 11, 2021
    Assignee: Canon Kabushiki Kaisha
    Inventor: Akihiro Matsumoto
  • Patent number: 11005793
    Abstract: This disclosure describes a group-based communication system comprising a group-based communication server and a group-based communication repository. The group-based communication server manages access control parameter discrepancies between a group-based communication channel and a requested resource that is disposed in communication with the group-based communication channel.
    Type: Grant
    Filed: December 15, 2017
    Date of Patent: May 11, 2021
    Assignee: Slack Technologies, Inc.
    Inventors: Corey Baker, Bertrand Fan, Salman Suhail
  • Patent number: 11003769
    Abstract: Disclosed are an elliptic curve point multiplication operation method and apparatus. The elliptic curve point multiplication operation method comprises ordered point multiplication and point addition operations. In a point addition operation process, when scanning that a current bit of a scalar K is not 0, a true point addition operation is executed, and when scanning that the current bit of the scalar K is 0, an equivalent point conversion operation is executed; the result of the true point addition operation and the result of the equivalent point conversion operation are stored in an identical register file, the register file comprising multiple registers. According to the elliptic curve point multiplication operation method and apparatus, side channel analysis and security error attack can be effectively resisted.
    Type: Grant
    Filed: June 13, 2019
    Date of Patent: May 11, 2021
    Assignee: BEIJING SMARTCHiP MICROELECTRONICS TECHNOLOGY COMP
    Inventors: Dongyan Zhao, Xiaoke Tang, Yanyan Yu, Xiaobo Hu, Shiping Zang, Jie Gan, Liang Liu, Zhe Zhang, Yinzi Tu
  • Patent number: 10997321
    Abstract: A private key of a public-private key pair with a corresponding identity is written to an integrated circuit including a processor, a non-volatile memory, and a cryptographic engine coupled to the processor and the non-volatile memory. The private key is written to the non-volatile memory. The integrated circuit is implemented in complementary metal-oxide semiconductor 14 nm or smaller technology. The integrated circuit is permanently modified, subsequent to the writing, such that further writing to the non-volatile memory is disabled and such that the private key can be read only by the cryptographic engine and not off-chip. Corresponding integrated circuits and wafers are also disclosed.
    Type: Grant
    Filed: September 21, 2019
    Date of Patent: May 4, 2021
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Eduard A. Cartier, Daniel J. Friedman, Kohji Hosokawa, Charanjit Jutla, Wanki Kim, Chandrasekara Kothandaraman, Chung Lam, Frank R. Libsch, Seiji Munetoh, Ramachandran Muralidhar, Vijay Narayanan, Dirk Pfeiffer, Devendra K. Sadana, Ghavam G. Shahidi, Robert L. Wisnieff
  • Patent number: 10999305
    Abstract: A computer-implemented method according to one embodiment includes identifying a storage environment, establishing a baseline associated with input and output requests within the storage environment, monitoring activity associated with the storage environment, comparing the activity to the baseline, and performing one or more actions, based on the comparing.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: May 4, 2021
    Assignee: International Business Machines Corporation
    Inventors: Tara Astigarraga, Christopher V. DeRobertis, Louie A. Dickens, Daniel J. Winarski
  • Patent number: 10986097
    Abstract: An access control system may include one or more computer processors; a memory, wherein the memory comprises an entitlement database of a resource access manager; a network communication device; and an access control module stored in the memory, executable by the one or more computer processors. The access control module may be configured to perform the steps of: receiving a request to add one or more entitlement data records to a distributed electronic ledger; validating the one or more entitlement data records; appending the one or more entitlement data records to the distributed electronic ledger; and verifying a first entitlement data record stored in the entitlement database by comparing the first entitlement data record with a first corresponding entitlement data record stored in the distributed electronic ledger, wherein the first entitlement data record and first corresponding entitlement data record are both associated with a first user.
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: April 20, 2021
    Assignee: Bank of America Corporation
    Inventors: Brandon Sloane, Brian Diederich, John Howard Kling
  • Patent number: 10984116
    Abstract: A cloud-based system for providing data security, the system having a processor which creates a source data file; wherein the source data file is split into one or more fragments; an encryption key associated with the one or more fragments; and wherein the one or more fragments are encrypted by the encryption key; a plurality of cloud storage providers; wherein the one or more fragments are distributed among the plurality of cloud storage providers whereby no single cloud storage provider possesses all of the one or more fragments; a pointer file which is created on a local computer; wherein the pointer file stores the location of the one or more fragments; and wherein the pointer file is accessed; the encryption key authenticates the plurality of cloud storage providers; the one or more fragments are transferred from the plurality of cloud storage providers to the local computer; and wherein the one or more fragments are reassembled; and the source data file is deleted.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: April 20, 2021
    Assignee: CALAMU TECHNOLOGIES CORPORATION
    Inventor: Paul Lewis
  • Patent number: 10979446
    Abstract: Disclosed are various embodiments for automated vulnerability chaining. A vulnerability chaining engine receives data indicating that a plurality of vulnerabilities are present in at least one host. The vulnerabilities are individually assigned a respective default risk score. The vulnerability chaining engine determines that an exploitation of a combination of the vulnerabilities would result in a greater risk score for the host(s) than indicated by the respective default risk scores based at least in part on respective vulnerability types associated with the individual vulnerabilities. A chained risk score that is higher than the respective default risk scores is assigned to the individual vulnerabilities.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: April 13, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Joshua Eugene Stevens, Matthew Block, Dennis Wayne Kuntz
  • Patent number: 10970367
    Abstract: Described herein are systems and methods for securing transmission of content from a smart card in a host television receiver to a client television receiver. The smart card can receive the encrypted content stream from the television service provider, decrypt the content stream with the global network key, identify the client television receiver as the destination of the content stream, generate a unique key specific to the content stream, encrypt the unique key with a local key known to the client television receiver, encrypt the content stream with the unique key, and transmit the encrypted content stream along with the encrypted unique key to the client television receiver. The client television receiver can then receive the encrypted content stream and the encrypted unique key, decrypt the unique key, decrypt the content stream with the unique key, and transmit the content stream to a display device of the client television receiver.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: April 6, 2021
    Assignee: DISH Technologies L.L.C.
    Inventors: William Michael Beals, John Hamrick
  • Patent number: 10972465
    Abstract: Disclosed embodiments relate to systems and methods for authentication through generating and communicating encoded representations containing unique application fingerprints, e.g., metadata. Techniques include receiving an access request, receiving application metadata, identifying a unique verification token, generating an encoded visual representation including the metadata and verification token, and making the encoded visual representation available for scanning by a user for verification of the metadata. Further techniques include requesting access to a secure resource, transmitting metadata, scanning an encoded visual representation including the metadata and a verification token, and sending the verification token to a security server to complete an authentication process.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: April 6, 2021
    Assignee: CyberArk Software Ltd.
    Inventors: Arthur Bendersky, Tal Zigman
  • Patent number: 10958628
    Abstract: A blockchain hierarchy comprises an arrangement of blockchain channels organized such that a blockchain channel at a lower level feeds data to another blockchain channel, e.g., a relatively higher level. At least one blockchain channel comprises a private autonomous subset of peers in the set of peers that comprise the blockchain network. Within that particular subset, one of the peers is elected as a leader entity, which has the capability of also joining another private or public blockchain channel, e.g., one at a higher level in the hierarchy. The leader entity includes a capability to enforce a data protection policy within the blockchain channel that it leads. To this end, the leader filters or declassifies data based on some task-specific (or blockchain channel-specific) data protection policy, and it then makes that data available to one or more other blockchain channels in the hierarchy (directly or indirectly).
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: March 23, 2021
    Assignee: International Business Machines Corporation
    Inventor: Kapil Kumar Singh
  • Patent number: 10958435
    Abstract: Apparatuses, systems, and methods for providing security in an intelligent electronic device (IED) are provided. In one aspect of the present disclosure, an IED is provided including at least one processor that receives a communication via a communication interface, the communication including an unencrypted file and a digital signature. The at least one processor decrypts the digital signature to obtain a first value, executes a hash function on the unencrypted file to obtain a second value, determines if the first value and second value match, and updates at least one firmware package stored in at least one memory of the IED with the unencrypted file if it is determined that the first value and the second value match.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: March 23, 2021
    Assignee: ELECTRO INDUSTRIES/ GAUGE TECH
    Inventors: Joseph Spanier, Dulciane Siqueira Cansancao